Security implications of running user script in QJSEngine

    AndyBrice wrote (#1):

    I am planning to use QJSEngine to let the user script custom data transforms in https://www.easydatatransform.com . I am just calling QJSEngine::evaluate() and QJSEngine::call() on some script written by the user. I'm not exposing any application objects. What are the security implications? Can they open a web page? Can they read/write files or the registry? Or is it all sandboxed? I had a Google, but I didn't find much.

      JKSH (Moderators) wrote (#2):

      @AndyBrice said in Security implications of running user script in QJSEngine:

      I am planning to use QJSEngine to let the user script custom data transforms in https://www.easydatatransform.com . I am just calling QJSEngine::evaluate() and QJSEngine::call() on some script written by the user. I'm not exposing any application objects. What are the security implications? Can they open a web page? Can they read/write files or the registry? Or is it all sandboxed? I had a Google, but I didn't find much.

      Start with https://doc.qt.io/qt-5/qtjavascript.html#implications-for-application-security. The QJSEngine has the same privileges as the C++ code in your application.

      • Does your app have the permissions to launch a web page? (through an external browser. QJSEngine does not have a built-in web engine)
      • Does your app have permissions to read/write files or the registry?

      Qt Doc Search for browsers: forum.qt.io/topic/35616/web-browser-extension-for-improved-doc-searches

        AndyBrice wrote (#3):

        @JKSH I did see that, thanks. But I'm still not clear what they can actually do from JavaScript. Is there no sandboxing?

          JKSH (Moderators) wrote (#4):

          @AndyBrice said in Security implications of running user script in QJSEngine:

          I'm still not clear what they can actually do from JavaScript. Is there no sandboxing?

          There is no sandboxing.

          As the article suggests, the JavaScript code is allowed to do anything that the C++ code can do.

            AndyBrice wrote (#5):

            @JKSH I tried a few things:

            Opening a url:
            window.open();

            Reading a file:
            new XMLHttpRequest();

            Accessing the registry:
            new ActiveXObject("WScript.Shell");

            None of these worked. So is there anything nasty I can do from inside QJSEngine? If so, what?

              AndyBrice wrote (#6):

              Just bumping this in the hope that someone can give me an answer.

                JKSH (Moderators) wrote (#7, last edited by JKSH):

                @AndyBrice said in Security implications of running user script in QJSEngine:

                None of these worked. So is there anything nasty I can do from inside QJSEngine? If so, what?

                Oops, my apologies; I was thinking of QQmlEngine instead of QJSEngine. QQmlEngine does contain XMLHttpRequest, although it doesn't contain window or ActiveXObject (or FileReader et al.).

                If you're using QJSEngine without exposing any C++ objects to it, then I can't think of a script that does anything too terrible to your machine.

                It is possible to starve your engine of memory though:

                var giant = [];
                for (var i = 0; i < 1000000000; ++i)
                    giant[i] = new ArrayBuffer(1000000000)
                

                I don't think garbage collection can reclaim that memory, as the giant remains in the global object.

                If you don't get any definite answers here over the next few days, try subscribing to the Interest mailing list and asking there: https://lists.qt-project.org/listinfo/interest. Qt engineers are active on that list; they should have deeper insights into QJSEngine.


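The manual probes in post #5 and the "without exposing any C++ objects" condition in post #7 can be turned into a repeatable inventory of what a script can reach from the global object. This is an added example, not code from the thread or from Qt; the names `auditGlobals`, `STANDARD_GLOBALS`, `PROBED` and `GLOBAL_OBJECT` and the allowlist contents are assumptions of this sketch.

```javascript
// Added example (not from the thread): list every global name that is not an
// ECMAScript built-in, i.e. everything the host application has made reachable.

// Constructed allowlist of ECMAScript global names; extend it for the language
// edition your engine implements.
var STANDARD_GLOBALS = [
  'Object', 'Function', 'Array', 'Number', 'Boolean', 'String', 'Symbol',
  'BigInt', 'Date', 'RegExp', 'Math', 'JSON', 'Reflect', 'Proxy', 'Promise',
  'Error', 'EvalError', 'RangeError', 'ReferenceError', 'SyntaxError',
  'TypeError', 'URIError', 'AggregateError', 'Map', 'Set', 'WeakMap',
  'WeakSet', 'WeakRef', 'FinalizationRegistry', 'ArrayBuffer',
  'SharedArrayBuffer', 'DataView', 'Atomics', 'Int8Array', 'Uint8Array',
  'Uint8ClampedArray', 'Int16Array', 'Uint16Array', 'Int32Array',
  'Uint32Array', 'Float32Array', 'Float64Array', 'BigInt64Array',
  'BigUint64Array', 'NaN', 'Infinity', 'undefined', 'globalThis', 'eval',
  'parseInt', 'parseFloat', 'isNaN', 'isFinite', 'encodeURI', 'decodeURI',
  'encodeURIComponent', 'decodeURIComponent', 'escape', 'unescape'
];

// Names the posters probed by hand or mentioned in the thread.
var PROBED = ['window', 'XMLHttpRequest', 'ActiveXObject', 'FileReader'];

// Returns the non-standard names defined on `root` (sorted) and, for each
// probed name, whether it is reachable from `root`.
function auditGlobals(root) {
  var hostProvided = Object.getOwnPropertyNames(root).filter(function (name) {
    return STANDARD_GLOBALS.indexOf(name) === -1;
  }).sort();
  var probes = {};
  PROBED.forEach(function (name) { probes[name] = name in root; });
  return { hostProvided: hostProvided, probes: probes };
}

// The global object, obtained without assuming `globalThis` is defined.
var GLOBAL_OBJECT = Function('return this')();
```

In a Qt host, evaluate this source followed by `JSON.stringify(auditGlobals(GLOBAL_OBJECT))` through the same QJSEngine::evaluate() path that runs user scripts, and review every name in `hostProvided`. Repeat the check whenever the application adds an object with QJSEngine::newQObject() or calls QJSEngine::installExtensions().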
                  AndyBrice wrote (#8):

                  @JKSH Thanks. I will reply here if I get any more insight.
